CVE-2025-59944
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-03

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive fileystems. This issue is fixed in version 1.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-03
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-03
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59944
EUVD
EUVD-2025-33199
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
anysphere cursor to 1.6.23 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Cursor, a code editor for programming with AI, in versions 1.6.23 and below. It involves case-sensitive checks that fail to properly protect sensitive files like .cursor/mcp.json on case-insensitive file systems. Attackers can exploit this by using prompt injection to modify these sensitive files, which can lead to remote code execution (RCE). The issue is fixed in version 1.7.

Impact Analysis

If exploited, this vulnerability can allow an attacker to modify sensitive files within the Cursor IDE through prompt injection, potentially leading to full remote code execution on the affected system. This means an attacker could execute arbitrary code remotely, compromising the security and integrity of your system.

Mitigation Strategies

Upgrade Cursor IDE to version 1.7 or later, as this version fixes the case-sensitive check issue that allows prompt injection and remote code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart